Date: Sun, 8 Feb 2015 15:34:31 -0500 (EST) From: cve-assign@...re.org To: kseifried@...hat.com Cc: cve-assign@...re.org, oss-security@...ts.openwall.com Subject: Re: kernel: v4l: videobuf: hotfix a bug on multiple calls to mmap() - Linux kernel -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 > https://bugzilla.redhat.com/show_bug.cgi?id=620629 > > not sure if this ever got a cve (or needs one, depends on device perms) > http://linuxtv.org/irc/v4l/index.php?date=2010-07-29 > > [12:15] <posciak> I see there is no limit on count in v4l2_ext_ctrls > structure... This has a direct influence on kernel memory allocation > in do_ioctl2, i.e. userspace could pass big numbers and have kernel > allocate huge amounts of memory... but since kmalloc won't allocate > more than a couple of kilobytes, I guess there is not much of a > problem problem here... just mentioning :) > > [12:24] <posciak> I guess introducing a VIDEO_MAX_EXT_CTRLS_SIZE or > something like that would help, as you mentioned > > [12:53] <hverkuil> I thought that that patch was merged. I guess not, > I'll see if I can make it part of my controller fw patch series. Some > sort of sanity check there would be welcome. Use CVE-2010-5321 for the https://bugzilla.redhat.com/show_bug.cgi?id=620629#c0 "calling mmap enough times for the same buffer (offset) resulted in a new memory allocation by videobuf on each such call and losing the old allocation, resulting in a leak each time and the system running out of memory" issue. - -- CVE assignment team, MITRE CVE Numbering Authority M/S M300 202 Burlington Road, Bedford, MA 01730 USA [ PGP key available through http://cve.mitre.org/cve/request_id.html ] -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.14 (SunOS) iQEcBAEBAgAGBQJU18d3AAoJEKllVAevmvms9B4IAKSnHhGpXLNE4kiGhTqj0kdl n5w6ARNyZJxAEv2FAdtjY79F9E/HakvMNqfx2+VowUEPi1T5G+6xWGYjpe/i7L88 ItCgc/q0nzb1zpUz0jckyrKFmbgtG2I424lGbrIzC74Yx0eGgUtKfz8ERtb+A5wu wS6Fo+tlmdyK0QUn+h6lopisOY8SgaTbWwuAigUa7iOTSBn+8s/qyuBs47Um7FXy sV+LJ23fm7YKSQ+2zDDvpPP4rq9LOwXlTN7Ka+MBJ4RHR4fUjeRV+t08wRRbddh8 gYaEAh0RLaiuKMSSm0nV25ZZSWy+A6qY1mcMMmeNWB2NUoaAP9ryEOZkWJym/ZM= =Rvy1 -----END PGP SIGNATURE-----
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ